Stop IdP Domains from being visible in browser for HRD

I have a few questions regarding Identifier First Authentication. We currently use an Embedded Login (lock v11) with Home Realm Discovery based on email domain to handle our enterprise SAML connections. However, we noticed that the setClient() function in auth0-lock is creating a script/file that runs client side with all the enterprise connection settings (including IdP domains) visible to handle the home realm discovery. This is fully visible to anyone who uses our site.

My questions are:

  1. Is there any way to stop this file from being visible to the end user without moving to Universal Login or breaking HRD?
  2. Does the Identifier First Authentication in Universal Login still display this information in the client’s browser?
  3. We want to use custom domains so we can run our own JS scripts in the login page. Are we able to do this with Universal Login and Identifier First Authentication?